Collegiate Penetration Testing Competition: 2018 Nationals Review

The National Collegiate Penetration Testing Competition provides a unique opportunity for students to build and hone their security skills in a fun, competitive, and real world simulated environment. After being involved in previous years, and now the 2018 event, Tom's blog post shares some of his experiences about what really goes on during these cool events.

CPTC is a unique way for students to hone their skills for the real world

Over the past 4 years, I’ve been involved with the National Collegiate Penetration Testing Competition (CPTC). This event was created with the goal of becoming the premier collegiate offensive security competition. What makes CPTC unique is that it focuses on much more than identifying and exploiting vulnerabilities.

Teams are challenged to serve as an outside penetration testing firm for a fictitious company created for the event. During the competition they are scored on factors such as professionalism, report clarity and quality, and - at the national level - a presentation to an executive-level board of industry professionals.

The emphasis on communication and professionalism is modeled after the real-life experiences that students will have to face in the workforce. The intention is to provide an experience unlike any other similar offensive security competition.

A large amount of time, energy, and creativity is included in these events

For the 2018 CPTC season, I had the opportunity to serve as lead of the white team, which meant I was ultimately responsible for communicating with teams before and during the event. I also played the role of the Director of Technical Operations (using my pseudonym, Tom Omarah) for Wheelz, the fictional autonomous transportation company we created for the event.

Students participating in this year’s CPTC events faced the following challenge: each team of up to six members was representing a pentesting firm that was tasked to perform an assessment of the Wheelz infrastructure.

For the first round (regionals), teams proved their abilities by performing an assessment and writing a report for the Wheelz corporate network. The top teams across the nation (two from each region, as well as four at-large winners) were invited to perform a follow-up test on a larger infrastructure. This is the second year we’ve operated regional competitions (a feat in itself, since all of them occur simultaneously on the same weekend). We’re potentially looking to expand this model in the coming years as interest develops.

Our main priority is to make the simulated environment as real as possible

There were several elements we chose to emphasize this year in order to enhance the realism and educational value of the event:

Expose students to the interdepartmental/internal company politics that are (sadly) all too common within larger corporations.

Integrate data into the environment (such as internal emails, chat messages, and publicly available social media posts) to support the storyline of the company and event.

Emphasize real-time use of email communication during the course of an engagement.

Give every team the opportunity to present material at both the regional and national events.

Integrate the team coaches into the event, and give them the knowledge and experience to drive them to make their teams better in the future.

From my perspective, the addition of data supporting the storyline was one of the best parts of this year’s national event. Fellow CPTC advisory board member Dan Borges did an amazing job leading the team who made all this happen.

This data included a bunch of chat history and e-mail messages to support the narrative of a potential insider threat, along with other findings (e.g. user credentials and information about internal systems).

[Image: Example chat messages]

From the Hurricane Labs perspective, we collected a ton of data from the systems (over 300 GB during the ~10 hours of competition for the national event), and fully monitored the environment with Splunk forwarders and other monitoring agents (such as Suricata) on nearly everything.

I hope to cover some more interesting findings from that data set in a future blog post, but here’s a teaser:

[Image: Suricata IDS alerts generated by team]

There were so many awesome real-world outcomes from this year’s event

A bunch of cool things happened during this year’s events, including:

At least four graduate dissertations will be using the data set collected during the events, and we’re looking to make this data more widely available for research purposes.

IBM (the premier sponsor of the event) brought their brand new X-Force Command Cyber Tactical Operations Center (a security operations center on wheels) to RIT for us to tour.

The Stanford team identified a 0-day vulnerability in a commercial application deployed in the environment. This has been disclosed to the vendor and a CVE is in progress.

Huge thanks to everyone involved in this year’s National CPTC event!

Congratulations to Stanford University for taking home the 2018 National CPTC championship trophy, and thanks to everyone who had a part in this year’s events as a member of the advisory board, volunteer, faculty, coach, or student competitor. I’m looking forward to seeing what the 2019 CPTC season brings, and doing everything I can with the support of a great team to make next year’s events even better.